
No rules: Internet security a Hobbesian “state of nature”

Life in cyberspace can be nasty, brutish, and short. So says a new report (PDF) on international cybersecurity, which argues that the Internet is a Hobbesian "state of nature" where anything goes, where even government attacks maintain "plausible deniability," and where more than three-quarters of industrial control systems are hooked into an IP network.

It's also a world where the US is both a model and a bully. When 600 senior IT security managers were asked which state actor was most likely to engage in cyberattacks, the top response was the US (36 percent), even among traditional US allies. On the other hand, US security practices were some of the world's most admired.

Hack attacks

The report was funded by security vendor McAfee, but it was conducted by a respected DC think tank, the Center for Strategic and International Studies. It paints a stark picture of the security problems faced by major enterprises and infrastructure groups, and some of the statistics are downright shocking.

54 percent of surveyed executives experienced "large-scale denial of service attacks by [a] high level adversary like organized crime, terrorists, or nation-state"

57 percent said they had suffered DNS poisoning, in half the cases multiple times per month

If the overall news on Internet security is grim, the news from specific sectors and countries can be downright horrific. Take extortion schemes, for instance: hackers infiltrate a network, then threaten the company with chaos, a data leak, or the disruption of operations unless they are paid. It happens more often than you might think, despite corporate unwillingness to publicize such attempts.

According to a separate CSIS document (PDF) that outlines major hack attacks over the last few years, "a CIA official said the agency knew of four incidents overseas where hackers were able to disrupt, or threaten to disrupt, the power supply for four foreign cities" back in 2008. CSIS notes that there are unconfirmed reports that Brazilian power outages in 2005 and 2007 were actually caused by hackers, likely acting on an extortion attempt.

But such events are rare in the US; only 12 percent of US executives said that extortion had been a problem. Move to India, however, and the number skyrockets to 40 percent. When it comes to the type of business affected, power, oil, and gas companies had much higher rates of extortion attempts.

Part of the problem is that so much industrial machinery and its control software (SCADA systems, for example) is now hooked into IP networks. The survey found that 76 percent of SCADA devices were connected to some kind of IP network, often reachable in some way from the outside Internet, even though half of the security managers recognized this as a risk.
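The exposure the survey describes is something a site can check for itself at its own network edge. The script below is an added example, not code from the article or the CSIS report: it reads constructed firewall flow-log lines, assumes a hypothetical site layout (a control network on 10.20.0.0/16 and engineering workstations on 10.30.1.0/24) and a fixed list of well-known ICS service ports, and flags every accepted connection to a controller port whose source lies outside those trusted ranges, grading Internet-routable sources highest. The log format, the addresses, and the port list are all assumptions.

```python
"""Flag ICS protocol sessions reaching control devices from outside the OT network.

Added example: the log format, addresses and subnet layout below are
constructed for illustration, not taken from the article or the CSIS report.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Well-known ICS service ports (assumption: the protocols in use at the site).
ICS_PORTS = {
    102: "S7comm",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Hypothetical site layout.
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]           # controllers, HMIs
ENGINEERING_NETWORKS = [ipaddress.ip_network("10.30.1.0/24")]  # engineering workstations
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow-log format: "<ts> <src>:<sport> > <dst>:<dport> <proto> <ACCEPT|DROP>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    service: str
    severity: str  # "high" | "medium" | "low"
    reason: str


def in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in net for net in nets)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if the line is not of interest."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable or differently formatted line: skip, don't guess
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    # Only inbound traffic to a controller on an ICS protocol port matters here.
    if dport not in ICS_PORTS or not in_any(dst, OT_NETWORKS):
        return None
    base = dict(ts=m["ts"], src=str(src), dst=str(dst), dport=dport, service=ICS_PORTS[dport])
    internal_src = in_any(src, RFC1918)
    if m["action"].upper() != "ACCEPT":
        # A blocked attempt from a routable address is still worth knowing about:
        # someone on the Internet found the controller port.
        if not internal_src:
            return Finding(**base, severity="low", reason="blocked probe from Internet-routable source")
        return None
    if in_any(src, OT_NETWORKS) or in_any(src, ENGINEERING_NETWORKS):
        return None  # expected: control or engineering traffic
    if internal_src:
        return Finding(**base, severity="medium",
                       reason="business-network host reached a controller directly")
    return Finding(**base, severity="high", reason="Internet-routable source reached a controller")


def audit(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over a log and keep only the findings."""
    return [f for f in (classify(l) for l in lines) if f is not None]


# Constructed sample log (not real traffic). 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for Internet addresses.
SAMPLE_LOG = """
2010-01-28T10:01:02Z 10.30.1.15:51234 > 10.20.4.7:502 tcp ACCEPT
2010-01-28T10:01:05Z 203.0.113.45:40212 > 10.20.4.7:502 tcp ACCEPT
2010-01-28T10:01:09Z 192.168.77.3:6001 > 10.20.4.9:20000 tcp ACCEPT
2010-01-28T10:02:11Z 203.0.113.45:40213 > 10.20.4.7:502 tcp DROP
2010-01-28T10:02:20Z 10.20.4.7:502 > 10.30.1.15:51234 tcp ACCEPT
2010-01-28T10:03:00Z 198.51.100.9:3300 > 10.20.4.7:80 tcp ACCEPT
""".strip().splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.ts} {f.src} -> {f.dst}:{f.dport} ({f.service}): {f.reason}")
```

On the sample log the script reports one high finding (a routable address that actually reached Modbus on a controller), one medium finding (a business-LAN host talking DNP3 to a controller without passing through the engineering segment), and one low finding (a blocked probe of the same Modbus port from the Internet). Return traffic from the controller and non-ICS ports are ignored. The RFC 1918 ranges are listed explicitly rather than relying on the library's is_private property, because the documentation ranges used in the sample would otherwise be treated as internal.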

The government-funded Idaho National Laboratory focuses on SCADA security and runs the "National SCADA Test Bed," which recreates industrial control systems to test them for security problems. In 2007, the lab produced a video that leaked to the press and showed a large diesel generator shaking apart and belching smoke after it was issued dangerous commands through a SCADA system. The video provided a graphic demonstration of how an attacker with network access to a control system can damage real-world infrastructure from afar.

Despite all the glum news, though, and much talk of a Hobbesian state of nature or a "Wild West," the report notes that there's not much panic among security pros. Two-thirds of all respondents said that their security resources were "completely" or "mostly" adequate, though recession-driven cuts are trimming security budgets.

Given the resources involved on the "black hat" side, though, there's no room for complacency. CSIS reminds us that in 2006, "Chinese hackers were thought to be responsible for shutting down the House of Commons computer system." In 2007, "The British Security Service, the French Prime Minister’s Office and the Office of German Chancellor Angela Merkel all complained to China about intrusion on their government networks. Merkel raised the matter with China’s President." In 2008, "hackers breached networks at Royal Bank of Scotland’s WorldPay, allowing them to clone 100 ATM cards and withdraw $9 million dollars from machines in 49 cities."

CSIS was itself hacked by foreign intruders in 2008. "Even tiny CSIS was hacked in December by unknown foreign intruders," said the group. "They probably assumed that some CSIS staff would work for the new administration and may have thought it might be interesting to read their emails beforehand."

Perhaps the strangest major cyberattack came in early 2009, when "Indian Home Ministry officials warned that Pakistani hackers had placed malware on popular music download sites used by Indians in preparation for cyber attacks."

And given the difficulty of tracing any of these attacks, few are ever prosecuted. "If cyberspace is the Wild West," the report concludes, "the sheriff needs to get to Dodge City."

But not even famed lawman Wyatt Earp would seem to be up for the task of cleaning up Dodge this time; the problems are global, governments are involved, and there's no obvious target to blast away at with your Peacemaker.

Beatrice, it's a combination of two things: people trying to cut costs, and small rural ILECs that charge outrageous amounts for local loop fees, so rather than get a private point-to-point T1 they instead put it on the Internet. Hell, even dial-up links should be fine for this kind of stuff; they don't need that much bandwidth.

Maintaining a second private network for this type of equipment is not only massively expensive, but also gives people a false sense of security.

Perhaps utilities should invest in things like so-called 'data diodes', keeping control functionality on the device/system side, and just sending operational data out. Of course, that makes it harder to do things like automatically spin power plants up/down based on real-time pricing (which is exactly what gas turbines are good for).

This is another in a long series of FUD-oriented reports like this in recent years. It's obviously part of an effort to hype up a supposed crisis in computer security, and thereby scare the public into submitting to onerous restrictions. That's why we're seeing proposals for a "new internet" with forced authentication, and arguments for mass electronic surveillance based on crime, pornography, copyright, etc.

Governments and corporations are keen on shutting down freedom of communication, on any pretext they can think of - that's the essence of it. Corporations such as anti-virus vendors have profit motives aligned well enough with this goal to make them accomplices.

There are a few real internet security issues: basically DDoS, BGP issues and DNS hijacking. The rest are endpoint security issues and could be managed far better than they are today with better software, system administration and user training.

If the FUD were actually real, I would want to see much more progress in catching and prosecuting the criminals, not subjecting the innocent to such onerous actions as swhx7 details. Sadly, the laws have few and tiny sharp teeth. The arrogant impunity and anonymity with which the "black hats" seem to operate needs to be dramatically shattered, but without tossing all privacy at the same time. Kind of tough when various governments shield them from prosecution so their talents can be put to use performing cyber espionage.

Originally posted by Banzai51: If you're not scared of the internet, security consultants don't have a job.

One grain of salt please.

As much as I would like to agree, the simple fact is that with the size of botnets today, most passwords can be easily cracked in a short amount of time. This is doubly true if said passwords are simple dictionary words or based on dictionary words.

While I don't think major systems are that vulnerable, personal information is.

Air gaps are not terribly expensive when you plan for them from the get-go. If you are laying pipes, or power wires or whatever, lay the fiber you need to control the system at the same time in the same or a nearby channel. You don't need 10 Gb Ethernet to control your system, more like 10 Mb, if even that. The setup cost is higher, but maintaining it over time isn't as bad as you think. Not free, but typically affordable.

Frankly, all systems that are considered primary to public safety (fire systems, for example) should have an air gap. It is the gold standard of internet security. If you can theoretically control it from home, so can anyone in the world.

As for hacking, if there are no consequences for it you can expect all entities to hack with no restriction. The only penalty that might make a country reconsider its hacking laws is probably a real possibility of being cut off from the Internet. That is what kept everyone mostly ethical in the early days of the Internet. If you don't think this is possible/practical perhaps you may be right, but be prepared to just accept the way things are now.

This reminds me of a talk I had with someone working for a SCADA controller manufacturer:

It was a couple of years ago, a few months before Microsoft ended Windows 95 support. His company was selling controllers for industrial processes, running on W95, with a high probability of being connected to the client's general network (and not a separate "air-gapped" network). He was arguing that it was not borderline criminal to sell systems so insecure.

Given the lifetime of this kind of controller, you can target any industrial SME in Europe and there's a good chance that you're a firewall away from massive physical damage, and possibly worker injuries. Perfect for blackmail.

An organization I once worked for had an air gap in their critical system (a SCADA system). You connect it to the internet (with a patch cable) so the vendor can remotely troubleshoot (when required). The rest of the time, there is an air gap. They do a weekly backup of the system on the weekend when the plant is not running. They don't run anti-virus on any of the PCs in the system.

You've got to be a bloody idiot to have a (nuclear) power plant or anything that critical connected to the internet. An air gap should be mandatory, but of course our governments are too weak-willed to force big industry to do anything that might eat into The Bottom Line.